S.C. agencies yet to fully implement cyber protections

Jan. 6, 2013

Nearly three months after the South Carolina Department of Revenue breach was publicly disclosed, officials do not know the exact state of cyber security at all state agencies. (Gannett, Mykal McEldowney/The Greenville (S.C.) News)

Just one of South Carolina Gov. Nikki Haley's 15 cabinet agencies questioned by the website - the Department of Probation, Pardons and Parole - responded without qualifications that it had the full basic protections experts say could have significantly reduced the chances of a data breach at the Revenue Department.

Others responded that they used the two basic defenses - encryption and a multi-password system - in parts of their systems or were working toward full implementation of both. Some reported they were considering some of the defenses, or that their systems did not hold enough personal data to require full implementation.

All of the cabinet agencies questioned reported their systems were being monitored or were in the process of being monitored by the Division of State Information Technology in accordance with an executive order by Haley.

Rob Godfrey, Haley's spokesman, said: "The governor signed an executive order requiring all cabinet agencies to use DSIT monitoring, and the fact that all agencies are quickly complying with that order will greatly enhance our security."

He said a security consultant has been hired "to study South Carolina's vulnerabilities and make recommendations for changes - and we look forward to working with the General Assembly to implement them as soon as they are delivered."

The responses by the cabinet agencies underscore the fact that nearly three months after the Revenue Department breach was publicly disclosed, officials do not know the exact state of cyber security at all agencies. Some legislators have argued that the state must centralize its security policies and enforcement so that all agencies follow the same procedures to protect their data.

Five agencies said they had suffered attacks by hackers on their websites in the past, the most recent of which was the defacement of the website for the Department of Employment and Workforce on Dec. 22.

Two agencies - the State Law Enforcement Division and the Department of Motor Vehicles - declined to respond to the survey, citing security concerns.

Other agencies responded but expressed concerns that publicizing their individual answers might make them more vulnerable to attack.

Investigators said the hacker who broke into the Revenue Department probably stole an employee's credentials by sending him a phishing email infected with malware, then logged into the system using remote access.

Had a multi-password system been in place, they said, even if the hacker stole the employee's credentials, he wouldn't have been able to access the system without another code, one that in many systems changes every minute.

Some of the agency's data, including most of its credit card records and information transmitted from the agency, was encrypted, officials have said. The agency studied the idea of encrypting all its data several years ago but declined after officials said it didn't appear cost-effective.

Two cabinet agencies said they used full encryption, while four reported using encryption for some data. One agency said it encrypted "much" of its data, and one said it would encrypt all data by March 30. Another agency said it used encryption on all PCs and laptops, another said it used encryption for all sensitive data housed on servers and another agency said full encryption was in progress.

'Fragmented' security

House Majority Leader Bruce Bannister, a Republican from Greenville, S.C., who is leading the committee investigating the Revenue Department hacking, said the responses by cabinet agencies highlight how inconsistent cyber security is in state government.

"That's a good example of how fragmented our state data-security system is," he said. "Even the ones that are directly controlled by the governor aren't implementing the basic three standard precautions that everybody agrees should have been implemented at the Department of Revenue long before the breach."

Bannister said he understands why some agencies wouldn't want to encrypt all of their data if some of it doesn't include personal information or consists of records that are publicly available.

But he said from his experience, many agencies have personal information. He said either such information shouldn't be stored on computer systems or it should be adequately protected.

The survey didn't include the Revenue Department, which at the time of the September 2012 breach wasn't using a multi-password system, didn't encrypt all its sensitive data and had declined free monitoring services by the state's IT office for its network.

Experts have told lawmakers that those steps are considered basic by many organizations with large databases of sensitive information and could have significantly reduced the chances of the agency's data being breached.

Haley disclosed the Revenue Department breach Oct. 26, 16 days after the U.S. Secret Service notified the state that the agency's data had been breached and some of the records taken by hackers.

Bannister said he believes legislators will propose legislation or rules changes to be sure all agencies with any personal data of any citizen "follow at least the market standard for data security," which he said would be multi-passwords, encryption of all personal data and network monitoring by the state's information technology office.

Stu Sjouwerman, CEO and founder of KnowBe4.com, a cyber security training company, said encryption and multi-passwords are parts of a "defense-in-depth" system, in which organizations protect their data with a layered approach that starts with employee training and includes firewalls, intrusion detection, application protection and encryption of data.

But he said the state also could enhance its security if it had across-the-board security procedures, including cyber-security awareness training, and one entity to enforce security policies.

"A centralized, top-down authority that more or less lays down the law and requires people to comply with a certain set of security standards is the only way this will actually get fixed," he said.

The state also needs to assess its sensitive data and find where it is on each system so it can prioritize its protection, he said. Officials are currently in search of a consultant who will assess each agency's sensitive data and its security and help the state craft an overall cyber-protection plan.

"In the South Carolina case, obviously you're dealing with closing the door after the horse has bolted," he said. "But you don't want to have this happen again and someone do the same thing."